make sure user needs to go through MFA when resetting password

Son Nguyen Kim 2021-07-12 18:56:09 +02:00
parent c011a4b90b
commit 99599bb09f
1 changed files with 4 additions and 3 deletions


@ -4,6 +4,7 @@ from flask_wtf import FlaskForm
from wtforms import StringField, validators
from app.auth.base import auth_bp
from app.auth.views.login_utils import after_login
from app.extensions import db, limiter
from app.models import ResetPasswordCode
@ -57,10 +58,10 @@ def reset_password():
# remove the reset password code
ResetPasswordCode.delete(reset_password_code.id)
db.session.commit()
login_user(user)
return redirect(url_for("dashboard.index"))
# do not use login_user(user) here
# to make sure user needs to go through MFA if enabled
return after_login(user, url_for("dashboard.index"))
return render_template("auth/reset_password.html", form=form)
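Review bot: Nothing in this commit pins the new behaviour with a test (the diffstat shows a single changed file), so a later refactor that swaps `after_login(user, url_for("dashboard.index"))` back to `login_user(user)` would silently restore the path where a password-reset link yields a session without the second factor. A view test that resets the password for an MFA-enabled user and asserts the response redirects to the MFA step with no authenticated session would guard it. The guarantee also rests entirely on `after_login`, whose body is not in this hunk, so it is worth confirming that it covers every second factor the app supports. If the `login_user` import is now unused in this module (the import hunk's counts show no deletion), dropping it would make an accidental reintroduction stand out in review. `reset_password` starts above the hunk.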